Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Baby Panda Goes After Jailbroken Apple iPhones

Like a panda on a mission to seek out all available bamboo, the malware inserts itself into the running processes of jailbroken devices and lifts credentials
Like a panda on a mission to seek out all available bamboo, the malware inserts itself into the running processes of jailbroken devices and lifts credentials

The bug, dubbed “Unflod Baby Panda,” was first brought to light via a comments thread on Reddit. 

While details on the malware’s source are somewhat murky still, security firm SektionEins did an analysis of Baby Panda and found it to have likely Chinese origins. In the code, there are “several indicators that a chinese party is involved,” the firm said. “It is however unclear at the moment how the actual malware binaries end up on jailbroken iPhones.”

However, SektionEins was able to partially figure out the anatomy of the threat. Like a panda on a mission to seek out all available bamboo, the malware inserts itself into the running processes of jailbroken devices and lifts credentials. 

“It comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections,” the firm noted. “From these connections, it tries to steal the device’s Apple ID and corresponding password and sends them in plaintext to servers with IP addresses in control of U.S. hosting companies, for apparently Chinese customers.”

Those with jailbroken phones should look at the /Library/MobileSubstrate/DynamicLibraries/ folder to see if the file “Unflod.dylib” is housed there. If it is, then victims can use iFile to locate the malware files Unflod.dylib and Unflod.plist, then delete them permanently using a file deletion tool like iShredder. A full restore to factory settings will also do the trick.

Affected users should also of course change their Apple ID passwords, and enable two-step verification.

What’s Hot on Infosecurity Magazine?